Whether you love or hate Microsoft, one things for sure: Windows 2000 migrations can ease your financial pain during the current economic slowdown.
Now that Windows 2000 has been around for a year or so, and the first wave of patches is available, many Windows NT network managers are making the move to Windows 2000 Advanced Server.
Just ask Rory and Jeff (not their real names), two seasoned network managers who recently got their hands dirty deploying Windows 2000 Advanced Server and its bundled directory service, known as Active Directory. Rory is a consultant with Master Certified Novell Engineer (MCNE) and Microsoft Certified Systems Engineer (MCSE) qualifications. He helped a midsize manufacturing company (15 sites and 3,200 users) move from an NT-based network to Windows 2000 and Active Directory. After completing the upgrade, he was hired on as the network architect, reporting to the VP of operations. Jeff is a senior network administrator for an insurance company that was running a mixed NT and Novell NetWare network that spans roughly 1,100 users. He led the companys migration to Windows 2000 and Active Directory.
Why make the move? The answers are quite simple. Generally speaking, Windows 2000 Advanced Server is more stable than NT Server 4.0. Moreover, Windows 2000 allows customers to move to Active Directory. The new Microsoft directory has several rough edges compared with Novell Directory Services and eDirectory, but Active Directory is a vast improvement over NT 4.0s antiquated domain-based system.
Heres why: Under Windows NT Server 4.0, each domain has separate users—if a user needs resources in several domains, they must have accounts and passwords for each domain. Permissions for administration across multiple domains, known as trust relationships, must be established between each domain, creating a very complex web of relationships. Each domain must have a primary domain controller (PDC)—a server that keeps all of the information on the domain. Theres no simple way to back up all domain information for multiple domains at once. Applications that provide management services typically maintain their own databases, producing a large number of disparate databases that must be kept up to date.
With Active Directory, all users and objects on the network (servers, shared disk space, printers, etc.) are organized in a single hierarchical directory. Approved users have to log in only once to gain access to any network resource. Administrators can be granted rights to administer any network object, no matter where its located. The directory tree exists as a single database that can be backed up and replicated, ensuring that all corporate data is easily protected. Simply put, Active Directory provides a central repository for consolidating network management information.
Double-Edged Sword The problem with directory services is essentially the same as the advantage—it is an entirely new way of doing things for NT administrators and systems integrators. Customers will welcome the potential savings in server consolidation, easier management and improved desktop control. But, as with any major upgrade, the journey to Windows 2000 can be challenging.
Ironically, one of the best resources for integrators who are anxious to add expertise in directory services is the Certified Novell Engineer (CNE) program. CNEs already are familiar with directories, in the form of eDirectory and/or NDS. While there are differences between Novells version and Microsofts, the similarities may give CNEs a leg up over Microsoft Certified Engineers during a Windows 2000 Advanced Server installation.
Just ask Rory and Jeff. Both Windows 2000 experts say the hardest part of the upgrade was the planning phase, which included translating their existing network structure to a directory-based structure and educating networking staff as well as users on what the changes would mean. Both customers had multiple NT domains per site, which made for a complicated migration.
Says Rory: “The nicest part of moving to AD was that we could create an entirely new directory structure, based on logical groups, rather than server logins and geographic boundaries. It was harder to explain to network admins than to users. I also loved that we could assign administrative rights at any level, in a very granular way.”
In Jeffs case, managements original mandate was to move from NT domains and Novell Directory Services (NDS) to AD. Instead, the team convinced management to use NDS for NT to consolidate the NT domains, and then move everything over to AD.
“NDS for NT works well enough that it wouldnt have been a problem to leave NDS in place,” concedes Jeff. “But management wanted to remove the requirement for NetWare servers and the special Novell clients required to administer NDS. By using NDS for NT to consolidate NT domains and handle the migration, we were able to leverage our existing experts in NDS to merge the domains into our existing directory structure, then move the whole thing over to AD.”
Alternate Consolidation Remedies There are two basic approaches to consolidating NT domains: merging them before the upgrade, generally through the use of tools such as NDS for NT or Domain Migrator, which Microsoft acquired from Mission Critical Software (now NetIQ); or moving everything to AD, and then consolidating the domains.
“The best part about consolidating the domains first was that we were able to try a couple of different organizational structures in the real world, transparently to the users,” Jeff says. “Using NDS for NT, we were able to keep the existing domain structure in place for users, and merge all the information into NDS without impacting users. We tried a couple of different directory structures, one based on company units, the other on organizational units (such as marketing, sales, engineering), all without impacting users, since their existing groups and organizations were retained. Once we settled on a directory structure, we used ZENworks to roll out W2K Pro to all the desktops, merged NDS over to AD, and everyone had the new system in place within a few days.”
Rory used the alternate approach. His team decided on the network directory structure, upgraded everyone to Windows 2000 Pro, then migrated from NT domains to the new AD structure. “We liked the idea of staged deployment,” says Rory. “We upgraded all workstations to Pro first, let everyone get used to that, then deployed the new primary AD server, then moved all the PDCs over, then the rest of the servers. Finally, after that was all done and verified, we started consolidating groups and moving resources around. It took us about six months to get the whole thing ironed out, but we felt it was safer than an overnight upgrade.”
Rory says creating a new root AD server, rather than converting the PDCs directly to Active Directory, was well worth the expense of the extra server because it let them have both the previous domain structure and the new AD structure in place simultaneously.
Jeff ran into some problems with updating and replicating Active Directory over WAN links. The insurance company had a large number of sales offices connected via dialup, ISDN or DSL. Most had a local NT server that also served as one users workstation. When the domains were consolidated and the local workstations were all converted to Windows 2000 Professional, most of the remote offices were left authenticating over WAN links.
That caused many problems when the WAN links were down for any reason, or when large numbers of changes to the directory came through. They eventually solved the issue by making one workstation at each site a Windows 2000 server, and replicating the directory locally.
Mind-Numbing Mapping Understanding the strategies for moving from domains to AD is important, and not necessarily easy. In a network with a complex domain structure, just mapping the changes from a geographically based user- and resource domain structure to the logical organization of a directory structure can be exceedingly complex. For instance, ensuring that the four “lsmith” user IDs in four different domains are the same user (or not, as the case may be) gets complicated.
In a large company, a complete listing of all network resources and objects (users, printers, groups, file-share volumes, etc.) can be many thousands of objects. In a domain-based network, many of the objects can be either multiple instances of the same object, such as one user with logins in multiple domains. They also may be multiple actual devices with the same name in different domains, such as a printer_1 entry in several different domains that identifies different printers in each case. All of these entries must be found and uniquely identified.
Usually the best time for the rollout coincides with business cycles. Get an early view on the developments on the applications side, both commercial and internal, that can change your schedule. Dont forget to include the testing time for any new software in your plans.
In companies with multiple locations, an important step is the geographic layout of the systems. Thats when the systems and network people need to be in the same room. Remote locations will have their own domain controller and/or a catalog controller. The communications links must be able to handle the normal traffic of the location plus the replication traffic, or clients will be unhappy.
Other Prescriptions Microsoft is concerned enough about migration from domains to AD that it acquired Zoomit Corp., a meta-directory company, and, as stated earlier, acquired technology from Mission Critical Software. Both the former Zoomit product and Mission Criticals Domain Migrator can help ease the transition from domains to AD. Check out the simulation tools at www.microsoft.com/windows2000/library/resources/reskit/deploymentscenarios/ default.asp.
There are also a number of other tools available to help consolidate domains and ready an existing network for the conversion to AD. They include: bv-Admin and bv-Control from BindView (www.bindview. com); Directory and Resource Administrator, Domain Migra-tion Administrator, and Server Con- solidator from NetIQ (www.netiq. com); and DM/Active Roles, DM/Manager, DM/Reporter, DM/Consolidator and DM/Reconfigure from FastLane Technologies (www.fastlane.com).
Those companies provide tools that can be used to manage existing NT domain-based networks, as well as Active Directory networks, and to ease the transition between the two. The products can produce lists of network objects, help discover duplicate entries in multiple domains, help establish naming conventions for the new AD structure, and allow management of both existing domains and Active Directory from a single console, allowing some domain-based structures to be retained and managed easily.
Since the Microsoft juggernaut moved into the networking arena a few years ago, finding experienced CNEs has become easier, though they are still in demand.
CNEs with NetWare 4 or NetWare 5 experience should make the transition to AD relatively painlessly. Administrators with a Vines or Streettalk background are also familiar with directory concepts and may make the transition to Active Directory more easily than experienced Microsoft admins without directory training or experience.
Partnering with other providers to fill in gaps in expertise could include working with Microsoft itself (Microsoft Consulting Services), Internet service providers, consultancies, and some of the software vendors that make consolidation tools. Given the cost of hiring experienced network managers, finding partners may be a more cost-effective solution, as long as you can verify some real experience in the areas in which youre looking.
Regardless of who does the work, make sure that the job is segmented into measurable chunks and that milestones, when met, are communicated to the client. Its essential to don your project management hat.
Its unlikely that Microsoft will develop and give away a tool that simplifies the transition from NT to Windows 2000, so there should be excellent opportunities for integrators to provide the needed expertise. If you can develop and retain that expertise, its bound to add to your bottom line.